FAQ: How to handle RADIUS authentication rejections on MA5200 devices

Published: 2012-07-26
Problem description

Q:

How should a RADIUS authentication rejection on an MA5200 device be handled?

Handling process

A:

A RADIUS authentication rejection means that, after the MA5200 sends a RADIUS authentication request packet, it receives a RADIUS response packet with code=3, which rejects the user's authentication request. A typical debug dump looks like this:
* [0.7287560-] RDS-8-02033000:
  Radius Sent a Packet
  Server Group: 2
  Server IP   : 10.164.45.213
  Protocol: Standard
  Code    : 1
  Len     : 279
  ID      : 0
  [User-name(1)                       ] [12] [user@huawei]
  [Challenge-Password(3)] [19] [013936cee9bc74a5350eb8e121a09711c2]
  [CHAP-Challenge(60)] [18] [aa4558e27d60d01785eb07c6203c7b0d]
  [NAS-Port(5)                        ] [6 ] [4096]
  [Service-Type                       ] [6 ] [2]
  [Framed-Protocol(7)                 ] [6 ] [1]
  [Calling-Station-Id(31)             ] [19] [00:06:5b:6c:aa:f9]
  [NAS-Identifier(32)                 ] [9 ] [MA5200F]
  [NAS-Port-Type(61)                  ] [6 ] [15]
  [NAS-Port-Id(87)] [34] [slot=0;subslot=0;port=1;vlanid=0]
  [NAS-Startup-Timestamp(26-59)       ] [6 ] [1091697485]
  [Ip-Host-Addr(26-60)] [35] [255.255.255.255 00:06:5b:6c:aa:f9]
  [Connect_ID(26-26)                  ] [6 ] [0]
  [Version(26-254)] [58] [Huawei SmartAX MA5200 Software Version 2.10 RELEASE 7127]
  [Domain-name(26-138)                ] [7 ] [huawei]
  [NAS-IP-Address(4)                  ] [6 ] [10.164.45.42]
 
\\After sending the authentication request, the MA5200 received an explicit authentication reject packet, code=3.
* [0.7287570-] RDS-8-02033000:
  Radius Recieved a Packet
  Server Group: 2
  Server IP   : 10.164.45.213
  Server Port : 1645
  Protocol: Standard
  Code    : 3
  Len     : 36
  ID      : 0
  [Reply-Message(18)                  ] [14] [Access Limit]
A typical trace for a rejected authentication looks like this:
  --[2004/8/5 11:20:46-][   AAA][0006-5b6c-aaf9]:Send authentication request to RADIUS successfully(UserID = 0)
  --[2004/8/5 11:20:46-][RADIUS][0006-5b6c-aaf9]: Receive authen message from AAA  successfully
  --[2004/8/5 11:20:46-][RADIUS][0006-5b6c-aaf9]:Send Auth req packet to radius server successfully(IP:10.164.45.213,Port:1645,ID:0 )
  --[2004/8/5 11:20:46-][RADIUS][0006-5b6c-aaf9]:Receive Auth reject packet from radius server successfully(IP:10.164.45.213,Port:1645,ID:0 )
  --[2004/8/5 11:20:46-][RADIUS][0006-5b6c-aaf9]:Send authen reject to AAA successfully
 
\\The trace explicitly prints that a reject message was received from RADIUS; the authentication failed because RADIUS rejected it.
  --[2004/8/5 11:20:46-][   AAA][0006-5b6c-aaf9]:Receive authentication reject from RADIUS successfully(UserID = 0)
  --[2004/8/5 11:20:46-][   AAA][0006-5b6c-aaf9]:Fail to authentication because reject by RADIUS server(UserID = 0, Code = 743)
Problems where RADIUS returns an explicit rejection are relatively simple to handle. When rejecting, the RADIUS server usually returns an explicit reason, carried in RADIUS attribute number 18, Reply-Message, which appears in the debugging output in this format:
  [Reply-Message(18)                  ] [14] [Access Limit]
The description carried in this attribute is the reason for the rejection. For example, the description above, Access Limit, means an access restriction: too many users are simultaneously online under the same account or in the same VLAN. In general, the reason returned by RADIUS states clearly why the request was rejected, and troubleshooting only needs to follow that reason.
 
Note: the Reply-Message descriptions returned by different RADIUS servers differ somewhat. If the reason given in a reject message is unclear, consult the RADIUS vendor.
 
There is another case when RADIUS rejects a user's authentication: the RADIUS server returns only a rejection, without a reason, for example:
  [Reply-Message(35)] [14] [RADIUS reject without any reasons]
The literal meaning of the returned message is that RADIUS rejected the request without giving any reason. In this case, ask the RADIUS vendor to help locate the fault, since only the RADIUS server knows the real reason for a rejection; then resolve the fault based on the RADIUS vendor's findings.
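The procedure above (find the received packet with Code 3, pair it with the sent request by ID, and read Reply-Message to decide whether the reason is actionable or must be escalated) can be automated over the debug output. The following is an added example, not code from the original article or from Huawei: it parses a constructed sample in the same layout as the RDS-8-02033000 dump shown above and classifies each reply. The regular expressions, the DebugPacket type and the "no reason" heuristic are assumptions of this example; Reply-Message is matched both by attribute number 18 and by name, because the second dump on the page labels it with a different number.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed MA5200 RADIUS debug dump in the layout the page shows,
# with a sent Access-Request (Code 1) and the received Access-Reject (Code 3).
SAMPLE_DEBUG = """\
* [0.7287560-] RDS-8-02033000:
  Radius Sent a Packet
  Server Group: 2
  Server IP   : 10.164.45.213
  Protocol: Standard
  Code    : 1
  Len     : 279
  ID      : 0
  [User-name(1)                       ] [12] [user@huawei]
  [Service-Type                       ] [6 ] [2]
  [NAS-IP-Address(4)                  ] [6 ] [10.164.45.42]

* [0.7287570-] RDS-8-02033000:
  Radius Recieved a Packet
  Server Group: 2
  Server IP   : 10.164.45.213
  Server Port : 1645
  Protocol: Standard
  Code    : 3
  Len     : 36
  ID      : 0
  [Reply-Message(18)                  ] [14] [Access Limit]
"""

# Constructed variant of the same exchange where the reject carries no usable reason.
SAMPLE_NO_REASON = SAMPLE_DEBUG.replace(
    "[Reply-Message(18)                  ] [14] [Access Limit]",
    "[Reply-Message(35)] [14] [RADIUS reject without any reasons]",
)

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# "Recieved" is how the device spells it in the dump on the page; accept both spellings.
HEADER_RE = re.compile(r"^\s*Radius (Sent|Recieved|Received) a Packet", re.I)
FIELD_RE = re.compile(r"^\s*(Code|ID|Server IP)\s*:\s*(\S+)")
# [Name(number)] [length] [value]; the number is optional (Service-Type has none)
# and may be a vendor-specific pair such as 26-138.
ATTR_RE = re.compile(r"^\s*\[([^\](]+?)(?:\((\d+(?:-\d+)?)\))?\s*\]\s*\[\s*(\d+)\s*\]\s*\[(.*)\]\s*$")


@dataclass
class DebugPacket:
    direction: str = "?"          # "sent" or "received"
    code: int = -1                # RADIUS code: 1 request, 2 accept, 3 reject
    ident: int = -1               # RADIUS identifier, used to pair request and reply
    server_ip: str = ""
    attrs: list = field(default_factory=list)  # (name, number or None, length, value)


def parse_debug(text):
    """Split an MA5200 RDS-8-02033000 debug dump into packets with their attributes."""
    packets, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("* ["):            # each packet starts with a timestamped header
            cur = DebugPacket()
            packets.append(cur)
            continue
        if cur is None:
            continue
        m = HEADER_RE.match(line)
        if m:
            cur.direction = "sent" if m.group(1).lower() == "sent" else "received"
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "Code":
                cur.code = int(val)
            elif key == "ID":
                cur.ident = int(val)
            else:
                cur.server_ip = val
            continue
        m = ATTR_RE.match(line)
        if m:
            name, number, length, value = m.groups()
            cur.attrs.append((name.strip(), number, int(length), value))
    return packets


def diagnose(packets):
    """Pair each received reply with the sent request of the same ID and explain any reject.

    Returns (user, reply type, reason) tuples. The reason is the Reply-Message text when
    the server supplied one; a missing or content-free Reply-Message is flagged so the
    case can be escalated to the RADIUS vendor, as the article advises.
    """
    requests = {p.ident: p for p in packets if p.direction == "sent" and p.code == 1}
    findings = []
    for p in packets:
        if p.direction != "received" or p.ident not in requests:
            continue
        req = requests[p.ident]
        user = next((v for n, _, _, v in req.attrs if n.lower() == "user-name"), "?")
        kind = RADIUS_CODES.get(p.code, f"code {p.code}")
        if p.code != 3:
            findings.append((user, kind, ""))
            continue
        reply = [v for n, num, _, v in p.attrs if num == "18" or n.lower() == "reply-message"]
        if not reply or "without any reason" in reply[0].lower():
            findings.append((user, kind, "no reason returned; escalate to the RADIUS vendor"))
        else:
            findings.append((user, kind, reply[0]))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_DEBUG, SAMPLE_NO_REASON):
        for user, kind, reason in diagnose(parse_debug(sample)):
            print(f"{user}: {kind} {reason}".rstrip())
```

Run against a real dump, the parser pairs replies with requests by ID rather than by position, so it still works when several users authenticate in the same capture; the only classification it makes on its own is "no reason returned", which is exactly the case the article says has to go to the RADIUS vendor.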